Is Ad Tracking Data Personal?
Privacy International is a leading pressure group for better privacy rights for individuals. They have recently published their analysis of the proposed new EU Data Protection Regulation currently undergoing scrutiny.
Their report is extremely detailed, but I was interested to read in particular their criticism of the definition of personal data. I recently wrote about this as being central to the regulation, because it essentially defines the scope of the protection offered by it.
Privacy International thinks that the definition leaves too much room for individuals to be targeted by personalised web content, without consent.
Online behavioural profiling relies on technologies like cookies to identify a web user with a unique code. This unique code does not need to contain information that can identify an individual by other means – like a name or email address. However it does result in an individual online identity that can be used to determine what the person sees and experiences when they use the web.
That online identity is effectively tied to one person using the computer or other device to connect to the web. Even if a computer is shared in a household, in most cases people create their own login to that computer – and when this happens each user will have their own browser profile, which means their own collection of cookies and a unique history of sites visited. This results in an individual rather than shared profile with a tracking company.
On top of this an increasing number of people are connecting via mobile devices, which are even more likely to be personal becuase they are rarely shared.
Privacy International wants to see such tracking come under the definition of ‘personal data’, so that any information used to single out an individual would then require explicit consent for its use.
Its quite a compelling argument. The more time we spend online, the more of our personality, as seen through our online behaviour, is captured by tracking technology companies. The more website visits that can be strung together, the more individual our profile becomes. It may not have a name or address against it – but it is still the record of an individual and a record that is used to personalise the experience of that individual.
The advertising industry talks about online tracking as providing more relevant content to the individual, and the benefits this brings to all parties. This individualisation of the web has in many ways been a driver for its growth. But if that argument holds true then behavioural profiles surely must be personal data.
The difficulty however is that if this interpretation is held to be true, then such data collection will need to have explicit consent prior to taking place under the new Regulation. It is this that the ad industry is fighting hard against – because they know that this consent will be hard to get yet is vital to their current business model.
January 13, 2017
Future of EU Cookie Compliance Webinar: ...
GDPR and now the proposed E-Privacy Regulation mean a stricter regime for cookie compliance, web governance and use of online tracking technologies. Join p...View Article →
December 14, 2016
Draft EU ePrivacy Regulation Leaked...
A draft of the proposed legislation to replace the outdated EU ePrivacy Directive was leaked on the Politico.eu (PDF) website this week. The proposal is fo...View Article →
November 3, 2016
GDPR Compliance Means Cookie Notices Mus...
Are you one of those people that ticked the cookie law box ages ago and not thought about it since? Well the game has changed and now is the time to re-vis...View Article →